
Watching The Watchers: The Stalkerware Surveillance Ecosystem

BSides London · 2019 · 13:22 · 4.6K views · Published 2019-06
About this talk
Stalkerware—spyware marketed as child monitoring or employee tracking tools—operates as a largely unregulated niche industry enabling intimate partner surveillance. Heasley analyzes the stalkerware ecosystem technically and operationally, mapping global distribution patterns through database breaches, and proposes disrupting funding flows as the primary countermeasure.
Original YouTube description:
While we focus on nation states' and corporations' role in steadily eroding our privacy and expanding omnipresent surveillance, an entire niche industry that caters to regular consumers who want similar spying capabilities has slipped largely under the radar. This talk will present analysis of the stalkerware industry and its products from a technical and non-technical standpoint, based on months of personal research.

Transcript [en]:

So by now you guys have had time to read the title of the talk. I'm talking about stalkerware, and I'm trying to compress what is a very complex topic that I could talk about for hours into quite a short space of time, so here we go. This is me. The GitHub at the bottom is important because I have a lot written about stalkerware on that GitHub, so I'll be bringing that back at the end as well.

So I don't know if you guys followed the trial of El Chapo Guzman, but I did, because it turned out that El Chapo, the drug cartel kingpin, was giving phones infected with FlexiSPY to his top lieutenants and his mistresses and his wife. What he would do is he would call at an inopportune moment, talk to them briefly, hang up, and then activate a remote microphone, basically using their phone as a remote microphone to listen to what they would say about him after they hung up. This was his way of checking in on people. He also had a crazy scheme to infect the local internet cafes around his headquarters with malware so that he could make sure that nobody was talking about him, but that's a different story.

This is another case, where this woman had a boyfriend with a life insurance policy and she wanted to kill him. The problem was he was sleeping in his car at the time, so she installed three different stalkerware apps on his phone, and made the mistake of hiring an FBI informant to kill him. So this is another recent case; it's 2017. That's just to illustrate what we're talking about here, so that we can see the seriousness, should we say.

So I've broken this talk down into three parts: we have defining the problem, the scope of the problem, and then what I think are a few solutions to the problem of stalkerware. So, stalkerware basics. Stalkerware is

basically targeted malware. You need physical access to the phone to install it. It monitors and exfiltrates data, and it stores that data on a server controlled by whoever makes the app. The basic functionality is similar in all of these apps: they collect your text messages, they log your phone calls, they usually have some sort of remote listening capability. It's fairly standard across the board. There are a few with more advanced features and a few with fewer features, but that's basically it.

So there are a bunch of different names for stalkerware, and defining it is important. We have mobile remote access Trojans; spouseware, which I guess implies that it's mainly married couples who use this, and I don't think that's true; spyware, which is a little bit generic; and intimate partner surveillance, which I quite like actually, because it's very specific.

Stalkerware companies themselves describe their products as child monitoring tools, employee monitoring tools, anti-theft apps. Some of these apps can function as what people who study stalkerware call dual-use apps: you could use Find My Phone, for instance, install that on someone else's phone, and then use it to track their location. Promotional material for the actual stalkerware apps that aren't in the Google Play Store or the Apple App Store often uses quite troubling imagery. They try to play on paranoia, they'll depict domestic violence, they'll talk a lot about adultery caused by online interactions. So this is part of their marketing. I talked to someone from Spitec, which is one of the companies that market stalkerware, and I asked them if I could install this without my wife knowing, and they were quite happy to advise me on doing that. They have reviews featured on their site, and as you can see, the bottom one is "he has absolutely no idea it is even installed on his phone", and that's the top review for their software.

So this is a case that I was actually involved in. I reverse engineered an APK and found a URL for a subdomain of the stalkerware app's domain, and on that domain were 95,000 photos and about 12,000 audio recordings sitting in an indexed directory with no login, no password to access it. So I worked with Lorenzo from Motherboard and we eventually got the hosting company to take down the site, because we couldn't get hold of the people who were actually running the app itself. So this gives you an idea of how much data is being collected, but also being leaked, by companies that are handling massive amounts of data with no real interest in securing it at all.

So when we're looking at the scope of the problem, I know we all like to deal

in statistics, and it's good as a metric. Stalkerware is a global phenomenon, but companies specialize. So we have LetMeSpy here, which is based in Kraków in Poland. While a lot of these companies might produce, say, brochures in different languages via Google Translate, in this case LetMeSpy has an entire version of their site in Polish; they produce YouTube videos in Polish, they produce blog posts. So you'll see that across the board. Catwatchful, which was back a few slides, is a Spanish company, so they do an English version of their site and then they have a lot of Spanish content as well. So that's important to think about when you're thinking about who's being targeted by this software: the localization is an important factor in that, and we'll come back to that as well.

So this is Kaspersky. They have recently decided to reclassify how they deal with stalkerware, and so they've released figures on infections. They say that over the past year they've had 58,000 users that have detected stalkerware on their phones; 35,000 of those users had no idea about the software. We'll come back to this as well. And this is for those of you who are wondering how this affects enterprise or your business: there was a study done in 2015, which is interesting, but to be honest the figures that they're giving are not going to keep you guys awake at night if this is what you're worried about. About two in every thousand employees of enterprise companies are infected with stalkerware, which is significant, but I don't think it's necessarily going to keep anyone that worried about it.

So when we're looking at the scope of the problem, I thought that one of the ways to show this was to look at breaches, because these companies get hacked all the time; their security is terrible. So I've highlighted two in red. Those are the two that we'll be looking at the database leaks from. You can see here we have 400,000 users, 179,000 users. This is a lot of people. Each one of these accounts represents at least one device; with a lot of these companies you can have up to five or six devices linked to one username. So we're looking at a lot of people who are infected with these apps.

So we're going to look at WTSpy first. WTSpy is based in the United Arab Emirates. They were hacked in 2016. Their database included a lot of user data, but what I was interested in was the country ID, which I've highlighted in red there. Based on that country ID I was able to get hold of their registration page on their site, because their site's still up, pretty much untouched from when they were hacked, I would imagine, and I was able to work out roughly where their main customers were from. Now, since they're based in the UAE and they market in Arabic, this matches with their top ten countries that they're selling their apps in. Afghanistan I was a little bit confused about, but it's also the first option when you register, so I'm not sure that it is actually 11,000 users there, although that's very possible. So that gives you an idea: again we're looking at 47,000 people, 13,000 people. This is a lot of infected devices.

The second company is HelloSpy. HelloSpy is a Vietnamese company; the guy

who runs HelloSpy runs about six or seven different companies, and they market to different areas of the world depending. So, I'm not a photographer, by the way; apologies for the map quality. But this is a clustering of the GPS coordinates. At the time of the database leak there were 1,700 active infections, and I took the GPS log for each one of those active infections, the first instance, as the point of origin. So the devices may have moved around, but this is the first time that they were ever registered with HelloSpy. As you can see, we have some scattered throughout North America, some in Europe; South Asia is a hot spot and we'll look more closely at that.

Yeah, this is Europe obviously; there are a few in London, there's one up in Scotland, and the rest are sort of scattered throughout. But when we get to Bangladesh we can see that this is the main number of users that were active at that time. I've kind of wondered about this. I've looked for specific Bangladeshi marketing that they've done; there are a few YouTube videos, I think maybe they're taking out Google ads, I'm not entirely certain. It's something I need to look into more, but it shows the localization, that a Vietnamese company would be selling to this amount of people in

Bangladesh.

So, devising solutions to all of this, because this is a problem that needs to be solved. First of all we have antivirus. This is a really good paper that details a lot of things to do with stalkerware, but specifically they tested the efficiency of antivirus apps to detect stalkerware, and it goes into some detail as to how good these apps are. Eva at the EFF has been trying to encourage antivirus companies to take this problem more seriously, and I think that is having some effect: as we saw with Kaspersky, they're now giving a more strenuous warning when they detect this software instead of just a sort of vaguely worded one that people might not understand.

This is coming back to Kaspersky's statistics on detected stalkerware. Now, what's important about this is that when I first saw these statistics, and this was earlier this year, I'd never heard of these three apps, and I had to go searching for them. The reason I'd never heard about them is because they are specifically Russian: they're marketed in the Russian language and to Russian users. So it's important, once again, when you think about localization with these apps: if you install Kaspersky and you expect it to detect stalkerware, these are the main variants of stalkerware that they're detecting, and this is skewed heavily towards Russian apps. So it's not really one size fits all. I'd be very interested to see the detection rates for stalkerware that is more common in the West.

So the main thrust of how I think this problem can be solved is through cutting off the money, as simple as that. PayPal processes an awful lot of payments for these companies. They need to transfer money somehow, they need to avoid local taxes, and PayPal is a seemingly willing partner in this. They're basically allowing violations of their terms of service by allowing companies that are marketing specifically products that are designed to break the law, and I think it would be very advantageous to cut off this flow of money, so that these companies then would not have so much of a reason to market so heavily. This is a spreadsheet that I came up with myself which shows some of the main stalkerware companies, and as you can see PayPal is very heavily represented.

There is another talk on stalkerware later, which I would recommend that you all go to, which is going to deal more with the technical aspects, and that is at 125. And this is my GitHub, as I mentioned earlier, which goes into a lot more detail than I was able to do here because of time. So, does anybody have any questions?

Do you not risk that if you cut off their PayPal access they'll go to other systems which are potentially more anonymous, or even worse security-wise than PayPal is?

So that is definitely a concern, but I think this is sort of a crime of opportunity in my mind. So people think, you know, maybe I'll spy on my wife, maybe I'll spy on my husband. They go online; they've used PayPal for eBay; PayPal is safe to them. They're sending money to a shady company, but PayPal to them is something that they can trust. If you force them from PayPal onto a less reputable service, people are less likely to send their money, I think, and if you force them down to using Bitcoin a lot of people are just going to not bother at that point. They're going to be dissuaded. You need to take the steps that are required for them to be able to install this app on their wife's or husband's phone and make more steps; you need to make it more complicated. So that's my thought on the matter. Any more questions? If you don't get a chance to ask me a question now, by the way, you can catch me: I'm wearing this very bright luminous shirt, so if you have any thoughts later on please do come and get me. Okay, if no more questions, thank you very much then. Thanks very much, guys.
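The HelloSpy map in the talk is built from one idea: take the first GPS fix ever logged for each active infection as that device's point of origin, then cluster those points to find where the victims are. The block below is an added example of that workflow; it is not the speaker's code and is not taken from the talk's GitHub. The CSV rows, device IDs, timestamps and coordinates are constructed, and the 250 km radius and the greedy "leader" clustering rule are assumptions chosen for illustration (the talk does not say which clustering method was used). It uses only the Python standard library so it runs offline against any leaked location table with the same four columns.

```python
"""First-seen GPS fix per infected device, then geographic clustering.

Added example (not from the talk or its GitHub). SAMPLE_CSV is constructed
data; the 250 km radius and leader clustering are illustrative assumptions.
"""
import csv
import io
import math
from datetime import datetime

# Constructed sample of a leaked location table: device_id, UTC timestamp, lat, lon.
# Rows are deliberately NOT in time order (d3's second row is earlier than its first),
# because leaked dumps are usually exported by row ID, not by capture time.
SAMPLE_CSV = """device_id,ts,lat,lon
d1,2018-03-01T10:00:00Z,23.81,90.41
d1,2018-03-02T09:00:00Z,23.75,90.38
d2,2018-03-05T12:00:00Z,51.51,-0.12
d3,2018-02-20T08:00:00Z,55.95,-3.19
d3,2018-02-19T08:00:00Z,55.86,-4.25
d4,2018-01-10T00:00:00Z,22.35,91.83
d5,2018-04-11T00:00:00Z,40.71,-74.01
d6,2018-04-12T00:00:00Z,23.90,90.40
"""


def parse_fixes(csv_text):
    """Parse the table into dicts with a timezone-aware datetime and float coordinates."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "device_id": r["device_id"],
            # fromisoformat() only accepts a trailing 'Z' on Python 3.11+, so normalise it.
            "ts": datetime.fromisoformat(r["ts"].replace("Z", "+00:00")),
            "lat": float(r["lat"]),
            "lon": float(r["lon"]),
        })
    return rows


def first_fix_per_device(rows):
    """Earliest fix per device, chosen by timestamp rather than file order."""
    first = {}
    for r in rows:
        cur = first.get(r["device_id"])
        if cur is None or r["ts"] < cur["ts"]:
            first[r["device_id"]] = r
    return {dev: (r["lat"], r["lon"]) for dev, r in first.items()}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    earth_radius_km = 6371.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(h))


def leader_cluster(points, radius_km=250.0):
    """Greedy leader clustering (assumed method): devices are processed in sorted
    ID order; a point joins the first cluster whose leader lies within radius_km,
    otherwise it becomes the leader of a new cluster. Result is sorted largest first."""
    clusters = []
    for dev in sorted(points):
        p = points[dev]
        for c in clusters:
            if haversine_km(p, c["leader"]) <= radius_km:
                c["members"].append(dev)
                break
        else:
            clusters.append({"leader": p, "members": [dev]})
    clusters.sort(key=lambda c: len(c["members"]), reverse=True)
    return clusters


def hotspots(csv_text, radius_km=250.0):
    """End-to-end: leaked table -> first fix per device -> clusters by size."""
    return leader_cluster(first_fix_per_device(parse_fixes(csv_text)), radius_km)


if __name__ == "__main__":
    for c in hotspots(SAMPLE_CSV):
        print(f"{len(c['members'])} device(s) near {c['leader']}: {', '.join(c['members'])}")
```

On the constructed rows the three Bangladeshi fixes (Dhaka, Dhaka, Chittagong, about 218 km apart) collapse into one cluster while London and Glasgow (about 555 km apart) stay separate, which is the kind of regional hot spot the talk's map shows. Two caveats for real dumps: choose the earliest fix by timestamp, not by row order, and remember that the fix locates the monitored device at registration, not the person who bought the licence.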